<!DOCTYPE html>
<html lang="en-US" class="html_stretched responsive av-preloader-disabled av-default-lightbox  html_header_top html_logo_left html_main_nav_header html_menu_right html_slim html_header_sticky html_header_shrinking html_mobile_menu_tablet html_header_searchicon_disabled html_content_align_center html_header_unstick_top_disabled html_header_stretch html_minimal_header html_burger_menu html_av-overlay-side html_av-overlay-side-classic html_av-submenu-noclone html_entry_id_422 av-cookies-no-cookie-consent av-no-preview html_burger_menu_active ">
<head>
<meta charset="UTF-8" />


<!-- mobile setting -->
<meta name="viewport" content="width=device-width, initial-scale=1">

<!-- Scripts/CSS and wp_head hook -->
<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

	<!-- This site is optimized with the Yoast SEO plugin v17.8 - https://yoast.com/wordpress/plugins/seo/ -->
	<title>Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials - Cado Security | Cloud Native Digital Forensics</title>
	<link rel="canonical" href="https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:title" content="Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials - Cado Security | Cloud Native Digital Forensics" />
	<meta property="og:description" content="Over the weekend we’ve seen a crypto-mining worm spread that steals AWS credentials. It’s the first worm we’ve seen that contains such AWS specific functionality. The worm also steals local credentials, and scans the internet for misconfigured Docker platforms. We have seen the attackers, who call themselves “TeamTNT”, compromise a number of Docker and Kubernetes [&hellip;]" />
	<meta property="og:url" content="https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/" />
	<meta property="og:site_name" content="Cado Security | Cloud Native Digital Forensics" />
	<meta property="article:published_time" content="2020-08-16T18:20:29+00:00" />
	<meta property="article:modified_time" content="2021-10-08T13:58:01+00:00" />
	<meta property="og:image" content="https://www.cadosecurity.com/wp-content/uploads/CADO-Security-Blog-Team-TNT.jpg" />
	<meta property="og:image:width" content="1140" />
	<meta property="og:image:height" content="700" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:creator" content="@chrisdoman" />
	<meta name="twitter:label1" content="Written by" />
	<meta name="twitter:data1" content="Chris Doman" />
	<meta name="twitter:label2" content="Est. reading time" />
	<meta name="twitter:data2" content="5 minutes" />
	<!-- / Yoast SEO plugin. -->


<link rel='dns-prefetch' href='//s.w.org' />
<link rel="alternate" type="application/rss+xml" title="Cado Security | Cloud Native Digital Forensics &raquo; Feed" href="https://www.cadosecurity.com/feed/" />
<link rel='stylesheet' id='avia-grid-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/css/dist/avia/grid.css?ver=1.2.8' type='text/css' media='all' />
<link rel='stylesheet' id='avia-base-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/css/dist/avia/base.css?ver=1.2.8' type='text/css' media='all' />
<link rel='stylesheet' id='avia-layout-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/css/dist/avia/layout.css?ver=1.2.8' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-button-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/css/dist/avia/shortcodes/buttons.css?ver=1.2.8' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-buttonrow-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/css/dist/avia/shortcodes/buttonrow.css?ver=1.2.8' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-ep-buttonrow-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-plus/assets/css/ep_buttonrow.css?ver=0.1.9.39' type='text/css' media='' />
<link rel='stylesheet' id='avia-module-ep-button-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-plus/assets/css/ep_buttons.css?ver=0.1.9.39' type='text/css' media='' />
<link rel='stylesheet' id='avia-module-ep-bulma-grid-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/css/dist/bulma-grid.css?ver=1.2.8' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-ep-flickity-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/css/dist/flickity.css?ver=1.2.8' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-ep-flickity-slider-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-plus/assets/css/ep_flickity_slider.css?ver=0.1.9.39' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-ep-custom-menu-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-plus/assets/css/ep_custom_menu.css?ver=0.1.9.39' type='text/css' media='' />
<link rel='stylesheet' id='avia-module-heading-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/css/dist/avia/shortcodes/heading.css?ver=1.2.8' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-hr-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/css/dist/avia/shortcodes/hr.css?ver=1.2.8' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-ep-hr-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-plus/assets/css/ep_hr.css?ver=0.1.9.39' type='text/css' media='' />
<link rel='stylesheet' id='avia-module-icon-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/css/dist/avia/shortcodes/icon.css?ver=1.2.8' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-ep-icon-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-plus/assets/css/ep_icon.css?ver=0.1.9.39' type='text/css' media='' />
<link rel='stylesheet' id='avia-module-image-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/css/dist/avia/shortcodes/image.css?ver=1.2.8' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-ep-image-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-plus/assets/css/ep_image.css?ver=0.1.9.39' type='text/css' media='' />
<link rel='stylesheet' id='avia-module-ep-grids-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-plus/assets/css/ep_grids.css?ver=0.1.9.39' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-ep-item-grid-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-plus/assets/css/ep_item_grid.css?ver=0.1.9.39' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-ep-post-grid-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-plus/assets/css/ep_posts_grid.css?ver=0.1.9.39' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-ep-social-profiles-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-plus/assets/css/ep_social_profiles.css?ver=0.1.9.39' type='text/css' media='' />
<link rel='stylesheet' id='avia-module-ep-textblock-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-plus/assets/css/ep_textblock.css?ver=0.1.9.39' type='text/css' media='' />
<link rel='stylesheet' id='avia-module-ep-column-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-plus/assets/css/ep_columns.css?ver=0.1.9.39' type='text/css' media='' />
<link rel='stylesheet' id='avia-module-ep-section-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-plus/assets/css/ep_section.css?ver=0.1.9.39' type='text/css' media='' />
<link rel='stylesheet' id='avia-module-ep-lottie-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-plus-lotties/assets/css/lottie.css?ver=1.2.7' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-social-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/css/dist/avia/shortcodes/social_share.css?ver=1.2.8' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-video-css'  href='https://www.cadosecurity.com/wp-content/themes/enfold/config-templatebuilder/avia-shortcodes/video/video.css?ver=5.8.2' type='text/css' media='all' />
<link rel='stylesheet' id='mkaz-code-syntax-prism-css-css'  href='https://www.cadosecurity.com/wp-content/plugins/code-syntax-block/assets/prism-a11y-dark.css?ver=1637694470' type='text/css' media='all' />
<link rel='stylesheet' id='avia-scs-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/css/dist/avia/shortcodes.css?ver=1.2.8' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-ep-shortcodes-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-plus/assets/css/ep_shortcodes.css?ver=0.1.9.39' type='text/css' media='all' />
<link rel='stylesheet' id='wp-job-manager-job-listings-css'  href='https://www.cadosecurity.com/wp-content/plugins/wp-job-manager/assets/dist/css/job-listings.css?ver=d866e43503c5e047c6b0be0a9557cf8e' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-table-css'  href='https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/css/dist/avia/shortcodes/table.css?ver=1.2.8' type='text/css' media='all' />
<link rel='stylesheet' id='avia-module-main-css'  href='https://www.cadosecurity.com/wp-content/themes/cado/assets/css/main.css?ver=3' type='text/css' media='all' />
<link rel='stylesheet' id='theme-single-common-css'  href='https://www.cadosecurity.com/wp-content/themes/cado/assets/css/single-common.css?ver=3' type='text/css' media='all' />
<link rel='stylesheet' id='theme-gutenberg-css'  href='https://www.cadosecurity.com/wp-content/themes/cado/assets/css/gutenberg.css?ver=3' type='text/css' media='all' />
<script type='text/javascript' src='https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/js/dist/avia/avia-compat.js?ver=1.2.8' id='avia-compat-js'></script>
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://www.cadosecurity.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://www.cadosecurity.com/wp-includes/wlwmanifest.xml" /> 
<link rel='shortlink' href='https://www.cadosecurity.com/?p=422' />
<link rel="alternate" type="application/json+oembed" href="https://www.cadosecurity.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.cadosecurity.com%2Fteam-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials%2F" />
<link rel="alternate" type="text/xml+oembed" href="https://www.cadosecurity.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.cadosecurity.com%2Fteam-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials%2F&#038;format=xml" />
	<script>document.addEventListener("DOMContentLoaded",function(){document.documentElement.style.setProperty("--scrollBarWidth",window.innerWidth-document.body.clientWidth+"px")});</script>
<link rel="profile" href="http://gmpg.org/xfn/11" />
<link rel="alternate" type="application/rss+xml" title="Cado Security | Cloud Native Digital Forensics RSS2 Feed" href="https://www.cadosecurity.com/feed/" />
<link rel="pingback" href="https://www.cadosecurity.com/xmlrpc.php" />
<!--[if lt IE 9]><script src="https://www.cadosecurity.com/wp-content/themes/enfold/js/html5shiv.js"></script><![endif]-->
<link rel="icon" href="/wp-content/uploads/Cado-Security-Favicon-–-2.png" type="image/png">
	<script>
	if( window.MSInputMethodContext && document.documentMode ){
		document.write('<link rel="stylesheet" href="https://www.cadosecurity.com/wp-content/themes/cado/assets/css/ie.css">');
	}
	</script>
	<style type='text/css'>
@font-face {font-family: 'fa-fontello'; font-weight: normal; font-style: normal; font-display: auto;
src: url('https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/fonts/fa-fontello.woff2') format('woff2'),
url('https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/fonts/fa-fontello.woff') format('woff'),
url('https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/fonts/fa-fontello.ttf') format('truetype'), 
url('https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/fonts/fa-fontello.svg#fa-fontello') format('svg'),
url('https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/fonts/fa-fontello.eot'),
url('https://www.cadosecurity.com/wp-content/plugins/enfold-fast/assets/fonts/fa-fontello.eot?#iefix') format('embedded-opentype');
} #top .avia-font-fa-fontello, body .avia-font-fa-fontello, html body [data-av_iconfont='fa-fontello']:before{ font-family: 'fa-fontello'; }

@font-face {font-family: 'cado-icons'; font-weight: normal; font-style: normal; font-display: auto;
src: url('https://www.cadosecurity.com/wp-content/uploads/avia_fonts/cado-icons/cado-icons.woff2') format('woff2'),
url('https://www.cadosecurity.com/wp-content/uploads/avia_fonts/cado-icons/cado-icons.woff') format('woff'),
url('https://www.cadosecurity.com/wp-content/uploads/avia_fonts/cado-icons/cado-icons.ttf') format('truetype'), 
url('https://www.cadosecurity.com/wp-content/uploads/avia_fonts/cado-icons/cado-icons.svg#cado-icons') format('svg'),
url('https://www.cadosecurity.com/wp-content/uploads/avia_fonts/cado-icons/cado-icons.eot'),
url('https://www.cadosecurity.com/wp-content/uploads/avia_fonts/cado-icons/cado-icons.eot?#iefix') format('embedded-opentype');
} #top .avia-font-cado-icons, body .avia-font-cado-icons, html body [data-av_iconfont='cado-icons']:before{ font-family: 'cado-icons'; }
</style>

</head>




<body id="top" class="post-template-default single single-post postid-422 single-format-standard  rtl_columns stretched avia-responsive-images-support cado">


	<div id='wrap_all'>

	
	<div id='main' class='all_colors' data-scroll-offset='100'>

	
<div class="single-hero-section avia-section alternate_color avia-section-default avia-no-border-styling avia-builder-el-0 el_before_av_section avia-builder-el-first container_wrap fullsize">
	<div class="container">
		<div class="content">
			<div class="entry-content-wrapper">
				<div class="cado-clouds   avia-builder-el-2  el_after_av_hr  avia-builder-el-last ">
					<img src="/wp-content/uploads/Cloud-5-Dark-BG.svg" loading="lazy" class="cado-cloud av-animated-generic fade-in disable-tablet avia_start_delayed_animation" style="--cloudPosTopWide:50%;--cloudPosLeftWide:0;--cloudTransWide:translateY(-50%) translateX(-127%);">
					<img src="/wp-content/uploads/Cloud-3-Dark-BG.svg" loading="lazy" class="cado-cloud av-animated-generic fade-in disable-tablet avia_start_delayed_animation" style="--cloudPosTopWide:50%;--cloudPosRightWide:0;--cloudTransWide:translateX(110%);">
				</div>
									<div class="post-tax">
						<span class='ep-item-term ep-item-term-blog' >Blog</span>					</div>
								<div class="post-date">August 16, 2020</div>
				<h1 class="post-title">Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials</h1>
			</div>
		</div>
	</div>
</div>

<div class="single-content-section avia-section main_color avia-section-default avia-no-border-styling container_wrap fullsize">
	<div class="container">
		<div class="content">
			<div class="entry-content-wrapper">
								
<p>Over the weekend we’ve seen a crypto-mining worm spread that steals AWS credentials. It’s the first worm we’ve seen that contains such AWS specific functionality. The worm also steals local credentials, and scans the internet for misconfigured Docker platforms. We have seen the attackers, who call themselves “TeamTNT”, compromise a number of Docker and Kubernetes systems.</p>



<p>These attacks are indicative of a wider trend. As organisations migrate their computing resources to cloud and container environments, we are seeing attackers following them there.</p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img loading="lazy" width="1030" height="431" src="https://cadosecurity.com/wp-content/uploads/Post-Team-TNT-First-Crypto-197f18_95602df431744002b3157470e80789d8_mv2-1030x431.png" alt="" class="wp-image-2554"/><figcaption><strong>Figure 1: </strong>The message the TeamTNT worm prints to the screen when first run.</figcaption></figure></div>



<h5><strong>AWS Credential Theft</strong></h5>



<p>The AWS CLI stores credentials in an <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html" target="_blank" rel="noreferrer noopener">unencrypted file</a> at ~/.aws/credentials, and additional configuration details in a file at ~/.aws/config.</p>



<p>The code to steal AWS credentials is relatively straightforward – on execution it uploads the default AWS credentials and config files to the attackers’ server, sayhi.bplaced[.]net:</p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img loading="lazy" width="1030" height="377" src="https://cadosecurity.com/wp-content/uploads/Team-TNT-First-Crypto-197f18_c147c2ca5ed14a469b846c7b91c20d36_mv2-1030x377.png" alt="" class="wp-image-2558"/><figcaption><strong>Figure 2: </strong>Code to steal AWS credentials from compromised systems.</figcaption></figure></div>



<p>Curl is used to send the AWS credentials to TeamTNT’s server, which responds with the message “THX”:</p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img loading="lazy" width="772" height="642" src="https://cadosecurity.com/wp-content/uploads/Team-TNT-–-The-First-Crypto-197f18_7e8f719470154dc6823955e4a1ceaaa7_mv2.png" alt="" class="wp-image-2562"/><figcaption><strong>Figure 3: </strong>The network traffic generated by stolen AWS credentials.</figcaption></figure></div>



<p>We sent credentials created by <a href="https://canarytokens.org/generate" target="_blank" rel="noreferrer noopener">CanaryTokens.org</a> to TeamTNT; however, we have not seen them in use yet. This indicates that TeamTNT either assess and use the credentials manually, or that any automation they may have created isn’t currently functioning.</p>



<h5>Proliferation</h5>



<p>Most crypto-mining worms are an amalgamation of previous worms, as authors copy and paste their competitors’ code. TeamTNT’s worm contains code, copied from another worm named Kinsing, that is designed to stop the Alibaba Cloud Security tools:</p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img loading="lazy" width="1030" height="216" src="https://cadosecurity.com/wp-content/uploads/Team-TNT-–-The-First-Crypto-197f18_e4914cc8e53b4ea29c39ce0a879479b8_mv2-1030x216.png" alt="" class="wp-image-2564"/><figcaption><strong>Figure 4: </strong>Repurposed code to stop the Alibaba Cloud Security tools.</figcaption></figure></div>



<p>In turn, it is likely we will see other worms start to copy the ability to steal AWS Credentials files too.</p>



<h5><strong>Docker</strong></h5>



<p>The worm also includes code to scan for open Docker APIs using <a href="https://github.com/robertdavidgraham/masscan" target="_blank" rel="noreferrer noopener">masscan</a>, then spin up Docker images and install itself:</p>



<div class="wp-block-image"><figure class="aligncenter size-large is-resized"><img loading="lazy" src="https://cadosecurity.com/wp-content/uploads/Team-TNT-–-The-First-Crypto-197f18_b160f3e1d2a34d1786e12a1d54392023_mv2-1030x632.png" alt="" class="wp-image-2565" width="773" height="474"/><figcaption><strong>Figure 5: </strong>Code to scan for open Docker APIs, then install the worm in a new container.</figcaption></figure></div>



<h5><strong>Post Exploitation</strong></h5>



<p>The worm deploys the XMRig mining tool to mine Monero crypto-currency and generate cash for the attackers. One of the <a href="https://moneroocean.stream/" target="_blank" rel="noreferrer noopener">mining pools</a> they use provides detailed information about the systems the worm has compromised:</p>



<div class="wp-block-image"><figure class="aligncenter size-large is-resized"><img loading="lazy" src="https://cadosecurity.com/wp-content/uploads/Team-TNT-–-The-First-Crypto-197f18_c86da986d94a4a97952e5f0e2f780905_mv2-1030x496.png" alt="" class="wp-image-2566" width="773" height="372"/><figcaption><strong>Figure 6: </strong>The statistics for the Monero wallet (below) on the Monero Ocean mining pool.</figcaption></figure></div>



<p>This page lists 119 compromised systems, some of which can be identified as Kubernetes Clusters and Jenkins Build Servers. So far we have seen two different Monero wallets associated with these latest attacks, which have earned TeamTNT about 3 XMR. That equates to only about $300 USD; however, this is only one of their many campaigns. The worm also deploys a number of openly available malware and offensive security tools:</p>



<ul><li>punk.py – A SSH post-exploitation tool</li><li>A log cleaning tool</li><li>Diamorphine Rootkit</li><li>Tsunami IRC Backdoor</li></ul>



<h5><strong>TeamTNT</strong></h5>



<p>The worm contains numerous references to “TeamTNT” and the domain teamtnt[.]red. The domain hosts malware, and the homepage titled “TeamTNT RedTeamPentesting” is an odd reference to public malware sandboxes:</p>



<div class="wp-block-image"><figure class="aligncenter size-large is-resized"><img loading="lazy" src="https://cadosecurity.com/wp-content/uploads/Team-TNT-–-The-First-Crypto-Team-TNT-Red-1030x670.png" alt="" class="wp-image-2572" width="773" height="503"/><figcaption><strong>Figure 7: </strong>The home page for teamtnt[.]red.</figcaption></figure></div>



<h5 id="viewer-1qa5"><strong>Conclusion</strong></h5>



<p id="viewer-dl0qj">Whilst these attacks aren’t particularly sophisticated, the numerous groups out there deploying crypto-jacking worms are successful at infecting large numbers of business systems.</p>



<p id="viewer-5utah">Below are some suggestions to help protect them:</p>



<ul><li>Identify which systems are storing AWS credential files and delete them if they aren’t needed. It’s common to find development credentials have accidentally been left on production systems. Treat any credentials that were present on an affected system as exposed, and rotate them.</li><li>Use firewall rules to limit any access to Docker APIs. We strongly recommend using a whitelisted approach for your firewall ruleset.</li><li>Review network traffic for any connections to mining pools, or any traffic using the Stratum mining protocol.</li><li>Review any connections sending the AWS Credentials file over HTTP.</li></ul>



<h5 id="viewer-67beh"><strong>Previous Work</strong></h5>



<p id="viewer-69j85">We would like to credit the previous research on TeamTNT by <a href="https://www.trendmicro.com/vinfo/hk-en/security/news/virtualization-and-cloud/coinminer-ddos-bot-attack-docker-daemon-ports" target="_blank" rel="noreferrer noopener">Trend Micro</a>, <a href="https://twitter.com/malwrhunterteam/status/1256664761997148161" target="_blank" rel="noreferrer noopener">Malware Hunter Team</a> and <a href="https://www.virustotal.com/gui/user/r3dbU7z/comments" target="_blank" rel="noreferrer noopener">r3dbU7z</a>.</p>



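<pre title="Yara Rule" class="wp-block-code"><code lang="bash" class="language-bash">rule TeamTNT_Worm_August_2020 {
   // Detects the shell-script components of the TeamTNT worm described in this post.
   // All literals use plain ASCII quotes and hyphens: the typographic quotes and
   // en dash introduced by the blog formatter stop the rule from compiling and
   // would not match the on-disk script text.

   meta:
      description = "Detects TeamTNT Worm"
      author = "cdoman@cadosecurity.com"
      date = "2020-08-16"
      license = "Apache License 2.0"
      hash1 = "3a377e5baf2c7095db1d7577339e4eb847ded2bfec1c176251e8b8b0b76d393f"
      hash2 = "929c3017e6391b92b2fbce654cf7f8b0d3d222f96b5b20385059b584975a298b"
      hash3 = "705a22f0266c382c846ee37b8cd544db1ff19980b8a627a4a4f01c1161a71cb0"

   strings:
      // XMRig miner drop and launch
      $a = "echo $LOCKFILE | base64 -d &gt; $tmpxmrigfile" wide ascii
      $b = "/root/.tmp/xmrig --config=/root/.tmp/" wide ascii
      // NOTE(review): $c is a common shell idiom and will also appear in benign
      // scripts; a hit on $c alone is a triage lead, not a confirmed detection.
      $c = "if [ -s /usr/bin/curl ]; then" wide ascii
      // AWS credential file discovery
      $d = "echo 'found: /root/.aws/credentials'" wide ascii
      // Routine that stops competing miners
      $e = "function KILLMININGSERVICES(){" wide ascii
      // Actor contact address embedded in the script
      $f = "hilde@teamtnt.red" wide ascii
      $g = "touch /root/.ssh/authorized_keys 2&gt;/dev/null 1&gt;/dev/null" wide ascii
      // Removal of the Alibaba Cloud Security agent
      $h = "rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service" wide ascii
      // Upload of the local SSH public key
      $i = "userfile=@/root/.ssh/id_ed25519.pub" wide ascii

   condition:
      // Any single string in a file under 100KB triggers the rule, so confirm
      // matches against the hashes above or the more specific strings.
      filesize &lt; 100KB and 1 of them
}</code></pre>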



<h5><strong>Monero Wallets</strong></h5>



<ul><li>88ZrgnVZ687Wg8ipWyapjCVRWL8yFMRaBDrxtiPSwAQrNz5ZJBRozBSJrCYffurn1Qg7Jn7WpRQSAA3C8aidaeadAn4xi4k</li><li>85X7JcgPpwQdZXaK2TKJb8baQAXc3zBsnW7JuY7MLi9VYSamf4bFwa7SEAK9Hgp2P53npV19w1zuaK5bft5m2NN71CmNLoh</li></ul>



<h5><strong>Domain Names</strong></h5>



<ul><li>6z5yegpuwg2j4len.tor2web[.]su</li><li>dockerupdate.anondns[.]net</li><li>teamtntisback.anondns[.]net</li><li>sayhi.bplaced[.]net</li><li>teamtnt[.]red</li><li>healthymiami[.]com (Compromised)</li><li>rhuancarlos.inforgeneses.inf[.]br (Compromised)</li></ul>



<h5><strong>IP Addresses</strong></h5>



<ul><li>129.211.98[.]236</li><li>85.214.149[.]236</li><li>203.195.214[.]104</li></ul>



<h5><strong>File-Hashes</strong></h5>



<ul><li>3a377e5baf2c7095db1d7577339e4eb847ded2bfec1c176251e8b8b0b76d393f</li><li>929c3017e6391b92b2fbce654cf7f8b0d3d222f96b5b20385059b584975a298b</li><li>705a22f0266c382c846ee37b8cd544db1ff19980b8a627a4a4f01c1161a71cb0</li></ul>
									<div class="bottom-content">
																				<div class="post-author-wrapper">
								<div class="about-author-title">About The Author</div>
								<div class="post-author-image">
									<img width="200" height="250" src="https://www.cadosecurity.com/wp-content/uploads/CADO-Security-Team-Chris-Doman-headshot@2x.jpg" class="avia-img-lazy-loading-1654 attachment-full size-full" alt="" loading="lazy" />								</div>
								<div class="post-author-inner-wrapper">
									<div class="post-author-name">
										Chris Doman									</div>
									<div class="post-author-description">
										Chris is well known for building the popular threat intelligence portal <a href="https://www.threatcrowd.org/" target="_blank" rel="noopener">ThreatCrowd</a>, which subsequently merged into the <a href="https://otx.alienvault.com/" target="_blank" rel="noopener">AlienVault Open Threat Exchange</a>, later acquired by AT&amp;T. Chris is an industry leading threat researcher and has published a number of widely read articles and papers on targeted cyber attacks. His research on topics such as the North Korean government’s <a href="https://www.wsj.com/articles/in-north-korea-hackers-mine-cryptocurrency-abroad-1515420004" target="_blank" rel="noopener">crypto-currency theft schemes</a>, and China’s attacks <a href="https://www.forbes.com/sites/daveywinder/2019/12/05/china-fires-great-cannon-cyber-weapon-at-the-hong-kong-pro-democracy-movement/#624c11297c85" target="_blank" rel="noopener">against dissident websites</a>, have been widely discussed in the media. He has also given interviews to print, radio and TV such as <a href="https://www.youtube.com/watch?v=z_0oV_hsc08" target="_blank" rel="noopener">CNN</a> and BBC News.									</div>
								</div>
							</div>
					</div>
							</div>
		</div>
	</div>
</div>


			<!-- end main -->
		</div>
		
		<!-- end wrap_all --></div>

    </body>
</html>
